User:Rewood/Email Spoofing (or "you just sent me an email virus")

From WolfTech
< User:Rewood
Revision as of 12:36, 22 March 2006 by Rewood (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

The Klez worm, in particular, is notorious for "spoofing" its origins. It may appear that you sent a Klez-infected email to someone, when the facts are that (1) your computer is not infected and (2) you didn't even send the email.

You may even get messages from others claiming that you sent them a virus, when you're completely innocent.

How that happens is explained below.

The following is an excerpt from http://www.symantec.com/avcenter/venc/data/w32.klez.h@mm.html

This worm often uses a technique known as "spoofing." When it performs its email routine. it can use a randomly chosen address that it finds on an infected computer as the "From:" address, numerous cases have been reported in which users of uninfected computers received complaints that they sent an infected message to someone else.

For example, Linda Anderson is using a computer that is infected with W32.Klez.H@mm. Linda is not using a antivirus program or does not have current virus definitions. When W32.Klez.H@mm performs its emailing routine, it finds the email address of Harold Logan. It inserts Harold's email address into the "From:" portion of an infected message that it then sends to Janet Bishop. Janet then contacts Harold and complains that he sent her an infected message, but when Harold scans his computer, Norton AntiVirus does not find anything--as would be expected--because his computer is not infected.

If you are using a current version of Norton AntiVirus and have the most recent virus definitions, and a full system scan with Norton AntiVirus set to scan all files does not find anything, you can be confident that your computer is not infected with this worm.

  • There have been several reports that, in some cases, if you receive a message that the virus has sent using its own SMTP engine, the message appears to be a "postmaster bounce message" from your own domain.

For example, if your email address is jsmith@anyplace.com, you could receive a message that appears to be from postmaster@anyplace.com, indicating that you attempted to send email and the attempt failed. If this is the false message that is sent by the virus, the attachment includes the virus itself. Of course, such attachments should not be opened.

  • The message may be disguised as an immunity tool.

One version of this false message is as follows:

Klez.E is the most common world-wide spreading worm. It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it. We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once,and then Klez will never come into your PC. NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it. If so,Ignore the warning,and select 'continue'. If you have any question,please mail to me.

Retrieved from "https://tools.wolftech.ncsu.edu/support/index.php?title=User:Rewood/Email_Spoofing_(or_%22you_just_sent_me_an_email_virus%22)&oldid=3225"